Top Free Security Testing Tools

Security testing is sometimes thought of as being hard to automate or a testing process that lacks tools and resources to help make it easier to learn.

I find most testers are not even aware of the amount of free, open-source security testing tools available to them.

This is a shame because I believe the next wave of DevOps is adding security tests to our pipelines. There’s even a name for this next wave: DevSecOps.

I thought I’d create a quick resource to point you to some security tools that you can start trying out.

Below are some of the best ones I’ve found or have heard about.

DevSlop

I recently interviewed Tanya Janca, who told me about her project, DevSlop.

You’re probably aware that modern applications often use APIs, microservices and containerization to deliver faster and better products and services.

This changing landscape means security folks need to step up their game. DevSlop (“Sloppy DevOps”) is an exploration into this area via several different modules consisting of pipelines, vulnerable apps, and The DevSlop Show.

If you’re looking to start learning more about adding security to your DevOps pipeline, this is a good resource to start with.

Exercise in a Box

Exercise in a Box is a free online tool from the National Cyber Security Centre in the UK. It helps organizations find out how resilient they are to cyber attacks and practice their response in a safe environment.

The service provides exercises based around the main cyber threats that your organization can do in its own time, in a safe environment, as many times as you wish. It includes everything you need for setting up, planning, delivery, and post-exercise activity, all in one place.

MobSF

MobSF (Mobile Security Framework) can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and supports both binaries (APK, IPA & APPX) and zipped source code. It can also perform dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner.

In the spirit of DevSecOps, MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless.

Needle

Needle is MWR’s iOS Security Testing Framework, released at Black Hat USA in August 2016. It is an open-source, modular framework whose goal is to streamline the entire process of conducting security assessments of iOS applications. It also acts as a central point from which you can perform all of these security activities.

Needle was designed to be useful not only for security professionals but also for developers looking to secure their code.

Some examples of testing Needle can help you with are:

Data storage

Inter-process communication

Network communications

Static code analysis

Hooking

Binary protections.

Needle’s only requirement to run effectively is that you use a jailbroken device.

Frida

Frida is a dynamic instrumentation toolkit for developers, reverse engineers, and security researchers. I first heard about it from Jahmel Harris, an ethical hacker, security testing expert and founder of Digital Interruption, who highly recommended it.

Frida is a framework or toolkit for instrumentation, also known as application hooking.

The Frida website describes it as letting you inject your own scripts into black box processes: hook any function, spy on crypto APIs, or trace private application code.

No source code needed.

What is application hooking?

Application hooking means you can change how an application works at runtime by injecting your code into the process.

This effectively means we can have our own code run instead of the original code, or call functions internal to an application, whenever we choose.

This ability can be incredibly helpful when performing penetration tests. The technique is also useful for forcing error conditions in an application, such as injecting a sleep into a call, or for reading specific data from a file or the network.

To see an example, be sure to register for Secure Guild and view Jahmel’s session, Hacker Tools for Developers and Testers: How to Add Security Tests into the Pipeline, which contains a demo on how to set up and use Frida for this purpose.

He will also demonstrate how to adapt Frida so that you can use it in your CI pipeline.

Tamper

Tamper Chrome is an extension that allows you to modify HTTP requests on the fly and aid in Web security testing. Tamper Chrome works across all operating systems (including Chrome OS).

Tamper Chrome also allows you to monitor requests sent by your browser as well as the responses.

You can also modify requests as they go out, and to a limited extent change the responses (headers, CSS, JavaScript or XMLHttpRequest responseText).

Astra

Their GitHub page mentions that security engineers or developers can use Astra as an integral part of their process so they can detect and patch vulnerabilities early in the development cycle. Astra can automatically detect and test login and logout (Authentication API), so it’s easy for anyone to integrate it into a CI/CD pipeline. Astra can take an API collection as input, making it able to test APIs in standalone mode.

Examples of the types of security tests you can perform with Astra are:

Pacu

Pacu is an AWS exploitation framework, designed for testing the security of Amazon Web services.

Taipan

Taipan is an automated web application vulnerability scanner that allows identifying web vulnerabilities in an automatic fashion. This project is the core engine of a broader project which includes other components, like a web dashboard where you can manage your vulnerability scans, download a PDF report and a scanner agent to run on a specific host.

Archery

Archery is an open source vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities.

Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs authenticated dynamic scanning of web applications and covers the whole application by using Selenium. Developers can also use the tool as part of their DevOps CI/CD environment.

Retire.JS

Have a bunch of JavaScript that you would like to scan for different types of vulnerabilities?

Try Retire.JS, which can scan your code for use of JavaScript libraries with known vulnerabilities.

mitmproxy

Need an intercepting proxy for your security testing that you can run from the command line?

Check out mitmproxy, which is one of the highest rated (14,997 stars) on GitHub. Their GitHub page describes it as “an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.”

Metasploit Framework

Metasploit Framework is one of the more popular penetration testing tools out there. It was designed specifically for penetration testing—like how to attack MS SQL, browser-based and file exploits, and social engineering attacks. This is one of the main tools used by hard-core security professionals.

Metasploit contains a suite of tools that can help you do things like performing attacks and test security vulnerabilities. It contains a number of different modules that can test your application against common vulnerabilities that many hackers exploit. You can also use it to develop your own exploits. In Metasploit, a module is a software component that performs a chosen attack on a specified target.

With Metasploit, you run commands that choose a module containing an exploit that you want to run against your application in order to try to break it. For example, many REST APIs rely heavily on SSL.

Using Metasploit, you can test your system to see how it handles common SSL exploits like the infamous Heartbleed vulnerability. Metasploit has hundreds of exploits you can use and, of the three tools we’ve covered, is the most complicated. But it also offers the most penetration testing-specific features.

Selenium

Umm… what is Selenium—a functional automation testing library—doing on this list?

Well, believe it or not, there are many ways to leverage existing functional automated tests to also include security testing.

For example, in his Secure Guild session on integrated security testing, Morgan Roman will demonstrate how he leverages his existing Selenium tests to check his applications for cross-site vulnerabilities.

This works mainly by taking existing Selenium tests (or any other kind of test) and then adding a simple security payload to it, and finally injecting some extra detection into it.

This may seem complex at first, but he’ll show us just how simple it is. Register for Secure Guild and check out his session now.
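To make the “payload plus detection” idea concrete, here is an added example (not code from the post or from Morgan Roman’s session). The Selenium flow is replaced by a stand-in callable that takes the typed value and returns the rendered page HTML, the way a real test would return `driver.page_source` (an assumed interface); the two sample page renderers are constructed here to show the escaped and unescaped cases.

```python
import html

# A harmless canary that must be encoded when reflected into HTML.
# It carries no script; if the literal tag survives, output encoding is missing.
CANARY_NAME = "canary-7f3a"
CANARY = f"\"'<{CANARY_NAME}>"


def check_reflection(page_html: str) -> dict:
    """Classify how a rendered page reflected the canary.

    'unescaped'     - the raw <canary-7f3a> tag is present: input reaches the
                      page without HTML encoding (a cross-site scripting risk).
    'escaped'       - the canary text appears but only in encoded form.
    'not_reflected' - the input never reached the page.
    """
    tag = f"<{CANARY_NAME}>"
    pos = page_html.find(tag)
    if pos != -1:
        evidence = page_html[max(0, pos - 20): pos + len(tag) + 20]
        return {"status": "unescaped", "evidence": evidence}
    if CANARY_NAME in page_html:
        return {"status": "escaped", "evidence": ""}
    return {"status": "not_reflected", "evidence": ""}


def security_wrap(functional_test) -> dict:
    """Re-run an existing functional test with the canary as its input.

    `functional_test(value)` stands in for a Selenium test that types `value`
    into a form, submits it, and returns the resulting page source (assumed).
    The security check is purely the extra detection step on the result.
    """
    return check_reflection(functional_test(CANARY))


# Constructed sample "applications" standing in for real pages under test.
def render_search_escaped(query: str) -> str:
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def render_search_raw(query: str) -> str:
    return f"<h1>Results for {query}</h1>"


def render_static(_query: str) -> str:
    return "<h1>Welcome</h1>"
```

Wiring the same `security_wrap` around every Selenium test that accepts text input turns a whole functional suite into reflection checks at no extra authoring cost.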

ZAP

Speaking of Selenium, another popular way of expanding its capabilities is to use it with the OWASP Zed Attack Proxy (ZAP).

ZAP can help you automatically find security vulnerabilities in your Web applications while you’re developing and testing your applications. It’s also a great tool for experienced Pen testers to use for manual security testing.

Many testers have leveraged ZAP within their Selenium tests to help with their security testing efforts.

Secure Guild

As you can see, there are many tool options available to testers who are looking to get more familiar with Security Testing.

Also, if you are just beginning your security testing career, another resource you should check out is Secure Guild, an online conference 100% dedicated to security testing. Learn more here.


Copyright 2019 by Joe Colantonio | TestTalks